
How penetration testing can instill confidence in remote storage


IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
August 9, 2018


Andrew Mabbitt, cyber security expert and ethical hacker at Fidus Information Security, explores how penetration testing can instill confidence in remote storage.  

Cloud computing is everywhere nowadays, and with good reason: it makes it easier for companies to run their operations. It saves money and floor space, and can even reduce the number of employees needed on the payroll.

Over the last decade or so there has been an increase in the effectiveness and use of cloud computing. As a result, more and more companies are now moving most or all of their computer services into the cloud.

While this means that they will benefit from many of the huge advantages of running operations from the cloud, it also presents its own unique challenges.


This is particularly true when it comes to the subject of security. Security has always been, and always should be, a primary concern for any business that deals with the transfer or storage of sensitive information.

Penetration testing is a form of ethical hacking that involves using hacker techniques to test the vulnerability of computing systems. With the advent of cloud computing, penetration testing can be used as a way of identifying vulnerable spots and assessing the risk to them.

So, if you have cloud computing you should give serious consideration to using penetration testing as part of your security processes.

What is cloud penetration testing?

This form of vulnerability assessment involves testing cloud applications, portal configurations and the infrastructure in general hosted within various cloud providers, including:

  • Skyscape (UK Cloud)
  • Amazon AWS
  • VMware
  • Microsoft Hyper-V
  • Microsoft Azure

If your applications or servers were not configured correctly at the installation stage, or once they were migrated to the cloud, you could be exposed to vulnerabilities.

How does cloud penetration testing benefit your business?

Vulnerability assessments and/or penetration testing in the cloud provide you with the assurance that the security controls and systems tested are configured properly, in line with current security best practices.

It also ensures that there are no publicly known or common vulnerabilities within the system being tested at the time the test was undertaken.

When vulnerabilities are found, they can be properly addressed before an attack occurs, rather than being discovered after the fact, when the damage has been done.

Penetration testing can help you to do the following:

  • Manage and handle vulnerabilities
  • Avoid the introduction of new issues when you are migrating to cloud-based environments and applications
  • Avoid the additional cost and damage to your company’s industry reputation that you could incur as the result of a breach in your computer system’s security
  • Provide you with evidence that your cloud-based services are fully compliant with certification and regulatory standards
  • Provide your customers, clients, contractors, suppliers and anyone else who works alongside your business with assurance that the data stored in the cloud relating to them is completely safe and secure

What kind of penetration testing and vulnerability assessments exist?

Companies that offer penetration testing and vulnerability assessments for an organisation’s cloud computing provide many of the following types of services:

  • Penetration testing on applications
  • Internal penetration testing and vulnerability assessments (from inside the cloud)
  • Reviews of server builds
  • Reviews of firewalls and network devices
  • Reviews of the configuration of the cloud computing portal
  • External penetration testing and vulnerability assessments, for all services that are exposed to internet users

Some important aspects to keep in mind

There are some things you need to bear in mind that make cloud penetration testing different from non-cloud-based testing. For instance, you need to seek approval from your cloud hosting provider for penetration testing to be run before you can organise this form of testing.

Most penetration testing companies will be able to help you make sure you have the relevant approvals and procedures in place for testing. They will normally have guidance on what to expect.

You need to make sure that the penetration testers that are used by the company you work with are fully certified to carry out this work. CREST is one of the official bodies that monitors and certifies individuals and companies.

You may also be curious about how often this form of testing and assessment should be run. Just as antivirus software and other net security should be updated regularly, you need to ensure that penetration testing is carried out more often than not.

Obviously, if you are completely new to cloud computing and penetration testing, you may be apprehensive and feel out of your depth. However, the benefits of penetration testing are undeniable, particularly if you are moving some or all of your services on to the cloud.

We have hopefully helped to show that, while you shouldn’t just dive into investing in penetration testing for your cloud services, it is something you definitely need.
